This documentation is for WSO2 Identity Server 5.3.0. View documentation for the latest release.

The responsibility of a federated authenticator is to authenticate the user against an external system, such as Facebook, Google, Yahoo, LinkedIn, Twitter, Salesforce or any other identity provider.

Federated authenticators are decoupled from the inbound authenticators. Once the initial request is handed over to the authentication framework by an inbound authenticator, the framework consults the service provider configuration component to find the set of federated authenticators registered for the service provider that corresponds to the current authentication request. As an example, a user tries to log in to their email account. The email service provider sends an authentication request to the Identity Server. After going through the service provider configuration, Twitter is selected as the identity provider for this service provider, so the Twitter federated authenticator authenticates the user with Twitter. After successful authentication the Identity Server returns the authentication result to the service provider, and the user is able to access their email.

Importance of federated authenticators

A federated authenticator has no value unless it is associated with an identity provider. For example, the Identity Server supports SAML 2.0, OpenID Connect, OAuth 2.0 and WS-Federation (passive). The SAML 2.0 federated authenticator has no value on its own; it has to be associated with an identity provider that can issue a SAML 2.0 assertion. Google Apps can be such an identity provider for the SAML 2.0 federated authenticator. The authenticator knows how to generate a SAML request to Google Apps and how to process the SAML response that comes back.

Using WSO2 Identity Server for federation

A federated authenticator has two parts.

  • Request Builder, which builds the protocol-specific request and sends the user to the external identity provider
  • Response Processor, which validates the protocol-specific response returned by the identity provider

Once the federated authentication completes successfully, the federated authenticator notifies the authentication framework. The framework can then decide that no further authentication is required and hand control to the corresponding response builder of the inbound authenticator. Both the request builder and the response processor are protocol aware, while the authentication framework itself is not coupled to any protocol. See Architecture for more information on this overall process.
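The following class shows the two parts side by side as a custom federated authenticator plugged into the framework's extension points (AbstractApplicationAuthenticator and FederatedApplicationAuthenticator). It is an added example, not code shipped with WSO2 Identity Server or any of its connectors: the external identity provider, its wire format (a `token`, a base64 HMAC-SHA256 `sig` over the token, and the echoed `state`), the property names `IdPLoginUrl` and `SharedSecret`, and the class name are all assumptions made for illustration. Real SAML 2.0 or OpenID Connect authenticators delegate validation to their protocol libraries, but the shape is the same: the request builder binds the round trip to the authentication context, and the response processor verifies the response before it asserts any subject to the framework.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.Property;

/**
 * Hypothetical federated authenticator (example only). The IdP is assumed to
 * redirect back with token=<subject>, sig=<base64 HMAC-SHA256(token)> and the
 * state value we sent. This wire format is invented for illustration.
 */
public class ExampleFederatedAuthenticator extends AbstractApplicationAuthenticator
        implements FederatedApplicationAuthenticator {

    private static final String PROP_IDP_URL = "IdPLoginUrl";       // assumed property name
    private static final String PROP_SHARED_SECRET = "SharedSecret"; // assumed property name
    private static final String STATE = "state", TOKEN = "token", SIG = "sig";

    // Request builder: send the user to the external IdP, binding the round trip
    // to this authentication context through the state parameter.
    @Override
    protected void initiateAuthenticationRequest(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context) throws AuthenticationFailedException {
        Map<String, String> props = context.getAuthenticatorProperties();
        String idpUrl = props.get(PROP_IDP_URL);
        if (idpUrl == null || idpUrl.isEmpty()) {
            throw new AuthenticationFailedException("IdP login URL is not configured");
        }
        try {
            String redirect = idpUrl + (idpUrl.contains("?") ? "&" : "?") + STATE + "="
                    + URLEncoder.encode(context.getContextIdentifier(), "UTF-8");
            response.sendRedirect(redirect);
        } catch (IOException e) {
            throw new AuthenticationFailedException("Could not redirect to the external IdP", e);
        }
    }

    // Response processor: validate the response before asserting a subject.
    @Override
    protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context) throws AuthenticationFailedException {
        // The framework located this context via getContextIdentifier(); a mismatch
        // here means a replayed or forged response rather than the one we initiated.
        if (!context.getContextIdentifier().equals(request.getParameter(STATE))) {
            throw new AuthenticationFailedException("state does not match the authentication context");
        }
        String token = request.getParameter(TOKEN);
        String sig = request.getParameter(SIG);
        String secret = context.getAuthenticatorProperties().get(PROP_SHARED_SECRET);
        if (token == null || sig == null || secret == null) {
            throw new AuthenticationFailedException("incomplete response from the external IdP");
        }
        if (!verifyHmac(token, sig, secret)) {
            throw new AuthenticationFailedException("response signature verification failed");
        }
        // Only a verified response may set the federated subject on the context.
        context.setSubject(AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(token));
    }

    // HMAC-SHA256 check with a constant-time comparison (assumed IdP signing scheme).
    static boolean verifyHmac(String data, String sigBase64, String secret) throws AuthenticationFailedException {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            byte[] expected = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            byte[] given = Base64.getDecoder().decode(sigBase64);
            return MessageDigest.isEqual(expected, given);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            throw new AuthenticationFailedException("malformed signature", e);
        }
    }

    // The framework asks every registered authenticator whether an inbound request is its response.
    @Override
    public boolean canHandle(HttpServletRequest request) {
        return request.getParameter(TOKEN) != null && request.getParameter(STATE) != null;
    }

    // Lets the framework find the AuthenticationContext that a returning response belongs to.
    @Override
    public String getContextIdentifier(HttpServletRequest request) {
        return request.getParameter(STATE);
    }

    @Override public String getName() { return "ExampleFederatedAuthenticator"; }
    @Override public String getFriendlyName() { return "Example IdP"; }

    // Properties shown under this authenticator in the identity provider configuration UI.
    @Override
    public List<Property> getConfigurationProperties() {
        List<Property> props = new ArrayList<>();
        Property url = new Property();
        url.setName(PROP_IDP_URL); url.setDisplayName("IdP login URL"); url.setRequired(true);
        Property secret = new Property();
        secret.setName(PROP_SHARED_SECRET); secret.setDisplayName("Shared secret");
        secret.setRequired(true); secret.setConfidential(true);
        props.add(url); props.add(secret);
        return props;
    }
}
```

Note the order of checks in the response processor: the state is compared before anything in the response is trusted, the signature is verified with a constant-time comparison, and the subject is set only after both succeed. Packaging the class as an OSGi bundle and registering it as an ApplicationAuthenticator service is covered in the custom authenticator documentation and is not shown here.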

Configure WSO2 Identity Server for federation

To navigate to the federated authenticators configuration section, do the following.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
    For more information, see Adding and Configuring an Identity Provider.
  3. Fill in the details in the Basic Information section.

You can configure each of the available federated authenticators by expanding the Federated Authenticators section and then the subsection for the protocol or provider you need.

More Federated Authenticators

Some authenticators, such as LinkedIn, are not provided out of the box with WSO2 Identity Server but can be downloaded from the WSO2 store and plugged in to work with WSO2 IS. For more information on those authenticators and connectors, see the WSO2 Identity Server Connectors documentation.

Note: OpenID 2.0 has been removed from the base product in this release (WSO2 Identity Server 5.3.0) because it is an obsolete specification that has been superseded by OpenID Connect. We recommend using OpenID Connect instead.

Related Topics
  • You can develop your own federated authenticators and plug them into the Identity Server. See Writing a Custom Federated Authenticator for more information on how to do this.
  • Identity Federation is part of the process of configuring an identity provider. For more information on how to configure an identity provider, see Configuring an Identity Provider.